xref: /openbmc/u-boot/doc/imx/habv4/guides/mx6_mx7_secure_boot.txt (revision 9ba5e5bc261a16f51662490da0cf620dc7f29013)
1         +=======================================================+
2         +   i.MX6, i.MX7 U-Boot Secure Boot guide using HABv4   +
3         +=======================================================+
4
51. HABv4 secure boot process
6-----------------------------
7
8This document describes a step-by-step procedure on how to sign and securely
9boot an U-Boot image for non-SPL targets. It is assumed that the reader is
10familiar with basic HAB concepts and with the PKI tree generation.
11
12Details about HAB can be found in the application note AN4581[1] and in the
13introduction_habv4.txt document.
14
151.1 Building a u-boot-dtb.imx image supporting secure boot
16-----------------------------------------------------------
17
18The U-Boot provides support to secure boot configuration and also provide
19access to the HAB APIs exposed by the ROM vector table, the support is
20enabled by selecting the CONFIG_SECURE_BOOT option.
21
22When built with this configuration, the U-Boot provides extra functions for
23HAB, such as the HAB status logs retrievement through the hab_status command
24and support for extending the root of trust.
25
26The U-Boot also correctly pads the final image by aligning to the next 0xC00
27address, so the CSF signature data generated by CST can be concatenated to
28image.
29
30The diagram below illustrate a signed u-boot-dtb.imx image layout:
31
32            ------- +-----------------------------+ <-- *start
33                ^   |      Image Vector Table     |
34                |   +-----------------------------+ <-- *boot_data
35                |   |          Boot Data          |
36                |   +-----------------------------+ <-- *dcd
37                |   |          DCD Table          |
38                |   +-----------------------------+
39         Signed |   |           Padding           |
40          Data  |   +-----------------------------+ <-- *entry
41                |   |                             |
42                |   |                             |
43                |   |       u-boot-dtb.bin        |
44                |   |                             |
45                |   |                             |
46                |   +-----------------------------+
47                v   |           Padding           |
48            ------- +-----------------------------+ <-- *csf
49                    |                             |
50                    | Command Sequence File (CSF) |
51                    |                             |
52                    +-----------------------------+
53                    |      Padding (optional)     |
54                    +-----------------------------+
55
561.2 Enabling the secure boot support
57-------------------------------------
58
59The first step is to generate an U-Boot image supporting the HAB features
60mentioned above, this can be achieved by adding CONFIG_SECURE_BOOT to the
61build configuration:
62
63- Defconfig:
64
65  CONFIG_SECURE_BOOT=y
66
67- Kconfig:
68
69  ARM architecture -> Support i.MX HAB features
70
711.3 Creating the CSF description file
72--------------------------------------
73
74The CSF contains all the commands that the HAB executes during the secure
75boot. These commands instruct the HAB on which memory areas of the image
76to authenticate, which keys to install, use and etc.
77
78CSF examples are available under doc/imx/habv4/csf_examples/ directory.
79
80A build log containing the "Authenticate Data" parameters is available after
81the U-Boot build, the example below is a log for mx7dsabresd_defconfig target:
82
83- mkimage build log:
84
85  $ cat u-boot-dtb.imx.log
86
87  Image Type:   Freescale IMX Boot Image
88  Image Ver:    2 (i.MX53/6/7 compatible)
89  Mode:         DCD
90  Data Size:    667648 Bytes = 652.00 KiB = 0.64 MiB
91  Load Address: 877ff420
92  Entry Point:  87800000
93  HAB Blocks:   0x877ff400 0x00000000 0x0009ec00
94                ^^^^^^^^^^ ^^^^^^^^^^ ^^^^^^^^^^
95                |          |          |
96                |          |          ------- (1)
97                |          |
98                |          ------------------ (2)
99                |
100                ----------------------------- (3)
101
102  (1)   Size of area in file u-boot-dtb.imx to sign.
103        This area should include the IVT, the Boot Data the DCD
104        and the U-Boot itself.
105  (2)   Start of area in u-boot-dtb.imx to sign.
106  (3)   Start of area in RAM to authenticate.
107
108- In "Authenticate Data" CSF command users can copy and past the output
109  addresses:
110
111  Block = 0x877ff400 0x00000000 0x0009ec00 "u-boot-dtb.imx"
112
1131.4 Signing the U-Boot binary
114------------------------------
115
116The CST tool is used for singing the U-Boot binary and generating a CSF binary,
117users should input the CSF description file created in the step above and
118should receive a CSF binary, which contains the CSF commands, SRK table,
119signatures and certificates.
120
121- Create CSF binary file:
122
123  $ ./cst -i csf_uboot.txt -o csf_uboot.bin
124
125- Append CSF signature to the end of U-Boot image:
126
127  $ cat u-boot-dtb.imx csf_uboot.bin > u-boot-signed.imx
128
129The u-boot-signed.imx is the signed binary and should be flashed into the boot
130media.
131
132- Flash signed U-Boot binary:
133
134  $ sudo dd if=u-boot-signed.imx of=/dev/sd<x> bs=1K seek=1 && sync
135
1361.5 Programming SRK Hash
137-------------------------
138
139As explained in AN4581[1] and in introduction_habv4.txt document the SRK Hash
140fuse values are generated by the srktool and should be programmed in the
141SoC SRK_HASH[255:0] fuses.
142
143Be careful when programming these values, as this data is the basis for the
144root of trust. An error in SRK Hash results in a part that does not boot.
145
146The U-Boot fuse tool can be used for programming eFuses on i.MX SoCs.
147
148- Dump SRK Hash fuses values in host machine:
149
150  $ hexdump -e '/4 "0x"' -e '/4 "%X""\n"' SRK_1_2_3_4_fuse.bin
151  0x20593752
152  0x6ACE6962
153  0x26E0D06C
154  0xFC600661
155  0x1240E88F
156  0x1209F144
157  0x831C8117
158  0x1190FD4D
159
160- Program SRK_HASH[255:0] fuses, using i.MX6 series as example:
161
162  => fuse prog 3 0 0x20593752
163  => fuse prog 3 1 0x6ACE6962
164  => fuse prog 3 2 0x26E0D06C
165  => fuse prog 3 3 0xFC600661
166  => fuse prog 3 4 0x1240E88F
167  => fuse prog 3 5 0x1209F144
168  => fuse prog 3 6 0x831C8117
169  => fuse prog 3 7 0x1190FD4D
170
171The table below lists the SRK_HASH bank and word according to the i.MX device:
172
173    +-------------------+---------------+---------------+---------------+
174    |                   |  i.MX6 Series |    i.MX7D/S   |    i.MX7ULP   |
175    +-------------------+---------------+---------------+---------------+
176    | SRK_HASH[31:00]   | bank 3 word 0 | bank 6 word 0 | bank 5 word 0 |
177    +-------------------+---------------+---------------+---------------+
178    | SRK_HASH[63:32]   | bank 3 word 1 | bank 6 word 1 | bank 5 word 1 |
179    +-------------------+---------------+---------------+---------------+
180    | SRK_HASH[95:64]   | bank 3 word 2 | bank 6 word 2 | bank 5 word 2 |
181    +-------------------+---------------+---------------+---------------+
182    | SRK_HASH[127:96]  | bank 3 word 3 | bank 6 word 3 | bank 5 word 3 |
183    +-------------------+---------------+---------------+---------------+
184    | SRK_HASH[159:128] | bank 3 word 4 | bank 7 word 0 | bank 5 word 4 |
185    +-------------------+---------------+---------------+---------------+
186    | SRK_HASH[191:160] | bank 3 word 5 | bank 7 word 1 | bank 5 word 5 |
187    +-------------------+---------------+---------------+---------------+
188    | SRK_HASH[223:192] | bank 3 word 6 | bank 7 word 2 | bank 5 word 6 |
189    +-------------------+---------------+---------------+---------------+
190    | SRK_HASH[255:224] | bank 3 word 7 | bank 7 word 3 | bank 5 word 7 |
191    +-------------------+---------------+---------------+---------------+
192
1931.6 Verifying HAB events
194-------------------------
195
196The next step is to verify that the signature attached to U-Boot is
197successfully processed without errors. HAB generates events when processing
198the commands if it encounters issues.
199
200The hab_status U-Boot command call the hab_report_event() and hab_status()
201HAB API functions to verify the processor security configuration and status.
202This command displays any events that were generated during the process.
203
204Prior to closing the device users should ensure no HAB events were found, as
205the example below:
206
207- Verify HAB events:
208
209  => hab_status
210
211  Secure boot disabled
212
213  HAB Configuration: 0xf0, HAB State: 0x66
214  No HAB Events Found!
215
2161.7 Closing the device
217-----------------------
218
219After the device successfully boots a signed image without generating any HAB
220events, it is safe to close the device. This is the last step in the HAB
221process, and is achieved by programming the SEC_CONFIG[1] fuse bit.
222
223Once the fuse is programmed, the chip does not load an image that has not been
224signed using the correct PKI tree.
225
226- Program SEC_CONFIG[1] fuse, using i.MX6 series as example:
227
228  => fuse prog 0 6 0x00000002
229
230The table below list the SEC_CONFIG[1] bank and word according to the i.MX
231device:
232
233             +--------------+-----------------+------------+
234             |    Device    |  Bank and Word  |    Value   |
235             +--------------+-----------------+------------+
236             | i.MX6 Series |  bank 0 word 6  | 0x00000002 |
237             +--------------+-----------------+------------+
238             | i.MX7D/S     |  bank 1 word 3  | 0x02000000 |
239             +--------------+-----------------+------------+
240             | i.MX7ULP     |  bank 29 word 6 | 0x80000000 |
241             +--------------+-----------------+------------+
242
2431.8 Completely secure the device
244---------------------------------
245
246Additional fuses can be programmed for completely secure the device, more
247details about these fuses and their possible impact can be found at AN4581[1].
248
249- Program SRK_LOCK, using i.MX6 series as example:
250
251  => fuse prog 0 0 0x4000
252
253- Program DIR_BT_DIS, using i.MX6 series as example:
254
255  => fuse prog 0 6 0x8
256
257- Program SJC_DISABLE, using i.MX6 series as example:
258
259  => fuse prog 0 6 0x100000
260
261- JTAG_SMODE, using i.MX6 series as example:
262
263  => fuse prog 0 6 0xC00000
264
265The table below list the SRK_LOCK, DIR_BT_DIS, SJC_DISABLE, and JTAG_SMODE bank
266and word according to the i.MX device:
267
268              +--------------+---------------+------------+
269              |    Device    | Bank and Word |   Value    |
270              +--------------+---------------+------------+
271              |                  SRK_LOCK                 |
272              +-------------------------------------------+
273              | i.MX6 Series | bank 0 word 0 | 0x00004000 |
274              +--------------+---------------+------------+
275              | i.MX7D/S     | bank 0 word 0 | 0x00000200 |
276              +--------------+---------------+------------+
277              | i.MX7ULP     | bank 1 word 1 | 0x00000080 |
278              +--------------+---------------+------------+
279              |                 DIR_BT_DIS                |
280              +-------------------------------------------+
281              | i.MX6 Series | bank 0 word 6 | 0x00000008 |
282              +--------------+---------------+------------+
283              | i.MX7D/S     | bank 1 word 3 | 0x08000000 |
284              +--------------+---------------+------------+
285              | i.MX7ULP     | bank 1 word 1 | 0x00002000 |
286              +--------------+---------------+------------+
287              |                 SJC_DISABLE               |
288              +-------------------------------------------+
289              | i.MX6 Series | bank 0 word 6 | 0x00100000 |
290              +--------------+---------------+------------+
291              | i.MX7D/S     | bank 1 word 3 | 0x00200000 |
292              +--------------+---------------+------------+
293              | i.MX7ULP     | bank 1 word 1 | 0x00000020 |
294              +--------------+---------------+------------+
295              |                 JTAG_SMODE                |
296              +-------------------------------------------+
297              | i.MX6 Series | bank 0 word 6 | 0x00C00000 |
298              +--------------+---------------+------------+
299              | i.MX7D/S     | bank 1 word 3 | 0x00C00000 |
300              +--------------+---------------+------------+
301              | i.MX7ULP     | bank 1 word 1 | 0x000000C0 |
302              +--------------+---------------+------------+
303
3042. Extending the root of trust
305-------------------------------
306
307The High Assurance Boot (HAB) code located in the on-chip ROM provides an
308Application Programming Interface (API) making it possible to call back
309into the HAB code for authenticating additional boot images.
310
311The U-Boot supports this feature and can be used to authenticate the Linux
312Kernel Image.
313
314The process of signing an additional image is similar to the U-Boot.
315The diagram below illustrate the zImage layout:
316
317            ------- +-----------------------------+ <-- *load_address
318                ^   |                             |
319                |   |                             |
320                |   |                             |
321                |   |                             |
322                |   |           zImage            |
323         Signed |   |                             |
324          Data  |   |                             |
325                |   |                             |
326                |   +-----------------------------+
327                |   |    Padding Next Boundary    |
328                |   +-----------------------------+ <-- *ivt
329                v   |     Image Vector Table      |
330            ------- +-----------------------------+ <-- *csf
331                    |                             |
332                    | Command Sequence File (CSF) |
333                    |                             |
334                    +-----------------------------+
335                    |     Padding (optional)      |
336                    +-----------------------------+
337
3382.1 Padding the image
339----------------------
340
341The zImage must be padded to the next boundary address (0x1000), for instance
342if the image size is 0x649920 it must be padded to 0x64A000.
343
344The tool objcopy can be used for padding the image.
345
346- Pad the zImage:
347
348  $ objcopy -I binary -O binary --pad-to 0x64A000 --gap-fill=0x00 \
349	zImage zImage_pad.bin
350
3512.2 Generating Image Vector Table
352----------------------------------
353
354The HAB code requires an Image Vector Table (IVT) for determining the image
355length and the CSF location. Since zImage does not include an IVT this has
356to be manually created and appended to the end of the padded zImage, the
357script genIVT.pl in script_examples directory can be used as reference.
358
359- Generate IVT:
360
361  $ genIVT.pl
362
363Note: The load Address may change depending on the device.
364
365- Append the ivt.bin at the end of the padded zImage:
366
367  $ cat zImage_pad.bin ivt.bin > zImage_pad_ivt.bin
368
3692.3 Signing the image
370----------------------
371
372A CSF file has to be created to sign the image. HAB does not allow to change
373the SRK once the first image is authenticated, so the same SRK key used in
374U-Boot must be used when extending the root of trust.
375
376CSF examples are available in ../csf_examples/additional_images/
377directory.
378
379- Create CSF binary file:
380
381  $ ./cst --i csf_additional_images.txt --o csf_zImage.bin
382
383- Attach the CSF binary to the end of the image:
384
385  $ cat zImage_pad_ivt.bin csf_zImage.bin > zImage_signed.bin
386
3872.4 Verifying HAB events
388-------------------------
389
390The U-Boot includes the hab_auth_img command which can be used for
391authenticating and troubleshooting the signed image, zImage must be
392loaded at the load address specified in the IVT.
393
394- Authenticate additional image:
395
396  => hab_auth_img <Load Address> <Image Size> <IVT Offset>
397
398If no HAB events were found the zImage is successfully signed.
399
400References:
401[1] AN4581: "Secure Boot on i.MX 50, i.MX 53, i.MX 6 and i.MX 7 Series using
402 HABv4" - Rev 2.
403